Background

Description

When certain CHM files that contain tables and objects stored in pages
are parsed by CHMlib, an unsanitized value is passed to the alloca()
function resulting in a shift of the stack pointer to arbitrary memory
locations.

Impact

An attacker could entice a user to open a specially crafted CHM file,
resulting in the execution of arbitrary code with the permissions of
the user viewing the file.